renma 0.16.0 → 0.18.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/CHANGELOG.md +157 -1
- package/README.md +219 -748
- package/architecture.md +533 -0
- package/design.md +469 -0
- package/dist/agent-skills.d.ts +1 -1
- package/dist/agent-skills.d.ts.map +1 -1
- package/dist/agent-skills.js +28 -8
- package/dist/agent-skills.js.map +1 -1
- package/dist/catalog.d.ts +1 -1
- package/dist/catalog.d.ts.map +1 -1
- package/dist/catalog.js +120 -12
- package/dist/catalog.js.map +1 -1
- package/dist/cli-help.d.ts +15 -9
- package/dist/cli-help.d.ts.map +1 -1
- package/dist/cli-help.js +32 -9
- package/dist/cli-help.js.map +1 -1
- package/dist/cli.d.ts.map +1 -1
- package/dist/cli.js +162 -40
- package/dist/cli.js.map +1 -1
- package/dist/commands/bom.d.ts +6 -3
- package/dist/commands/bom.d.ts.map +1 -1
- package/dist/commands/bom.js +27 -7
- package/dist/commands/bom.js.map +1 -1
- package/dist/commands/catalog.d.ts +1 -1
- package/dist/commands/catalog.d.ts.map +1 -1
- package/dist/commands/catalog.js +11 -4
- package/dist/commands/catalog.js.map +1 -1
- package/dist/commands/ci-report.d.ts.map +1 -1
- package/dist/commands/ci-report.js +18 -5
- package/dist/commands/ci-report.js.map +1 -1
- package/dist/commands/diff.js +8 -2
- package/dist/commands/diff.js.map +1 -1
- package/dist/commands/graph.d.ts +6 -2
- package/dist/commands/graph.d.ts.map +1 -1
- package/dist/commands/graph.js +30 -14
- package/dist/commands/graph.js.map +1 -1
- package/dist/commands/inspect.d.ts.map +1 -1
- package/dist/commands/inspect.js +2 -0
- package/dist/commands/inspect.js.map +1 -1
- package/dist/commands/ownership.d.ts +4 -3
- package/dist/commands/ownership.d.ts.map +1 -1
- package/dist/commands/ownership.js +27 -23
- package/dist/commands/ownership.js.map +1 -1
- package/dist/commands/readiness.d.ts +2 -1
- package/dist/commands/readiness.d.ts.map +1 -1
- package/dist/commands/readiness.js +105 -36
- package/dist/commands/readiness.js.map +1 -1
- package/dist/commands/scaffold.d.ts +3 -0
- package/dist/commands/scaffold.d.ts.map +1 -1
- package/dist/commands/scaffold.js +28 -2
- package/dist/commands/scaffold.js.map +1 -1
- package/dist/commands/suggest-metadata.d.ts.map +1 -1
- package/dist/commands/suggest-metadata.js +56 -8
- package/dist/commands/suggest-metadata.js.map +1 -1
- package/dist/commands/suggest-semantic-split.js +3 -3
- package/dist/commands/suggest-semantic-split.js.map +1 -1
- package/dist/commands/trust-graph.d.ts.map +1 -1
- package/dist/commands/trust-graph.js +12 -0
- package/dist/commands/trust-graph.js.map +1 -1
- package/dist/config.d.ts.map +1 -1
- package/dist/config.js +10 -3
- package/dist/config.js.map +1 -1
- package/dist/dependency-resolution.d.ts +6 -0
- package/dist/dependency-resolution.d.ts.map +1 -0
- package/dist/dependency-resolution.js +11 -0
- package/dist/dependency-resolution.js.map +1 -0
- package/dist/diagnostic-ids.d.ts +8 -0
- package/dist/diagnostic-ids.d.ts.map +1 -1
- package/dist/diagnostic-ids.js +8 -0
- package/dist/diagnostic-ids.js.map +1 -1
- package/dist/discovery.d.ts +33 -0
- package/dist/discovery.d.ts.map +1 -1
- package/dist/discovery.js +178 -80
- package/dist/discovery.js.map +1 -1
- package/dist/markdown.d.ts.map +1 -1
- package/dist/markdown.js +15 -0
- package/dist/markdown.js.map +1 -1
- package/dist/model.d.ts +17 -1
- package/dist/model.d.ts.map +1 -1
- package/dist/model.js +4 -1
- package/dist/model.js.map +1 -1
- package/dist/quality-profile.d.ts +91 -0
- package/dist/quality-profile.d.ts.map +1 -0
- package/dist/quality-profile.js +91 -0
- package/dist/quality-profile.js.map +1 -0
- package/dist/repeated-context.d.ts.map +1 -1
- package/dist/repeated-context.js +38 -83
- package/dist/repeated-context.js.map +1 -1
- package/dist/repository-boundary.d.ts +30 -0
- package/dist/repository-boundary.d.ts.map +1 -0
- package/dist/repository-boundary.js +116 -0
- package/dist/repository-boundary.js.map +1 -0
- package/dist/repository-evidence.d.ts +2 -0
- package/dist/repository-evidence.d.ts.map +1 -1
- package/dist/repository-evidence.js +6 -4
- package/dist/repository-evidence.js.map +1 -1
- package/dist/repository-paths.d.ts +19 -2
- package/dist/repository-paths.d.ts.map +1 -1
- package/dist/repository-paths.js +123 -14
- package/dist/repository-paths.js.map +1 -1
- package/dist/rules.d.ts +2 -0
- package/dist/rules.d.ts.map +1 -1
- package/dist/rules.js +322 -256
- package/dist/rules.js.map +1 -1
- package/dist/scanner.d.ts.map +1 -1
- package/dist/scanner.js +5 -1
- package/dist/scanner.js.map +1 -1
- package/dist/security-diagnostics.d.ts.map +1 -1
- package/dist/security-diagnostics.js +95 -30
- package/dist/security-diagnostics.js.map +1 -1
- package/dist/security-diff.d.ts +5 -2
- package/dist/security-diff.d.ts.map +1 -1
- package/dist/security-diff.js +20 -4
- package/dist/security-diff.js.map +1 -1
- package/dist/security-policy-inventory.d.ts +15 -3
- package/dist/security-policy-inventory.d.ts.map +1 -1
- package/dist/security-policy-inventory.js +123 -26
- package/dist/security-policy-inventory.js.map +1 -1
- package/dist/security-policy.d.ts +7 -0
- package/dist/security-policy.d.ts.map +1 -1
- package/dist/security-policy.js +70 -7
- package/dist/security-policy.js.map +1 -1
- package/dist/security-posture.d.ts.map +1 -1
- package/dist/security-posture.js +2 -1
- package/dist/security-posture.js.map +1 -1
- package/dist/skill-migration.js +2 -0
- package/dist/skill-migration.js.map +1 -1
- package/dist/static-support.d.ts +13 -0
- package/dist/static-support.d.ts.map +1 -0
- package/dist/static-support.js +284 -0
- package/dist/static-support.js.map +1 -0
- package/dist/token-estimator.d.ts +21 -0
- package/dist/token-estimator.d.ts.map +1 -0
- package/dist/token-estimator.js +84 -0
- package/dist/token-estimator.js.map +1 -0
- package/dist/trust-graph.d.ts +3 -3
- package/dist/trust-graph.d.ts.map +1 -1
- package/dist/trust-graph.js +76 -21
- package/dist/trust-graph.js.map +1 -1
- package/dist/types.d.ts +7 -2
- package/dist/types.d.ts.map +1 -1
- package/docs/README.md +61 -0
- package/docs/advanced-skill-authoring.md +147 -0
- package/docs/agent-skills-compatibility.md +508 -0
- package/docs/authoring-guide.md +382 -0
- package/docs/context-conflict-diagnostics.md +32 -0
- package/docs/context-language-diagnostics.md +99 -0
- package/docs/context-lens.md +253 -0
- package/docs/context-lifecycle-diagnostics.md +55 -0
- package/docs/diagnostics.md +406 -0
- package/docs/metadata-budget.md +14 -0
- package/docs/quality-profile.md +123 -0
- package/docs/repository-context-bom.md +172 -0
- package/docs/schemas/repository-context-bom-v2.schema.json +648 -0
- package/docs/schemas/trust-graph-v2.schema.json +301 -0
- package/docs/security-policy.md +354 -0
- package/docs/trust-graph.md +47 -0
- package/docs/user-manual.md +842 -0
- package/examples/context-lens/README.md +101 -0
- package/examples/context-lens/contexts/testing/boundary-value-analysis.md +23 -0
- package/examples/context-lens/lenses/testing/spec-review-boundary-values.md +29 -0
- package/examples/context-lens/lenses/testing/test-design-boundary-values.md +29 -0
- package/examples/context-lens/skills/testing/spec-review/SKILL.md +49 -0
- package/examples/context-repo/README.md +148 -0
- package/examples/context-repo/contexts/domain/payment/idempotency.md +27 -0
- package/examples/context-repo/contexts/testing/boundary-value-analysis.md +26 -0
- package/examples/context-repo/contexts/testing/negative-testing.md +26 -0
- package/examples/context-repo/lenses/testing/spec-review-boundary-values.md +35 -0
- package/examples/context-repo/renma.config.json +12 -0
- package/examples/context-repo/skills/testing/spec-review/SKILL.md +71 -0
- package/examples/context-repo/tools/appium/README.md +14 -0
- package/examples/github-actions/renma-ci-report.yml +36 -0
- package/examples/interactive-placeholder/README.md +104 -0
- package/examples/interactive-placeholder/assets/template.txt +1 -0
- package/examples/interactive-placeholder/renma.config.json +6 -0
- package/examples/interactive-placeholder/skills/replace-placeholder/SKILL.md +54 -0
- package/examples/interactive-placeholder/tools/README.md +48 -0
- package/examples/interactive-placeholder/tools/placeholder-demo.mjs +99 -0
- package/package.json +10 -1
- package/plan-discovery.md +749 -0
- package/plan.md +90 -0
- package/scripts/verify-package.mjs +104 -0
package/plan.md
ADDED
|
@@ -0,0 +1,90 @@
|
|
|
1
|
+
# Renma Roadmap
|
|
2
|
+
|
|
3
|
+
## Current Product Definition
|
|
4
|
+
|
|
5
|
+
Renma 0.18.0 is the current shipped baseline: a Git-native context repository
|
|
6
|
+
and deterministic governance CLI for agent-consumable Skills, Context Lenses,
|
|
7
|
+
Context Assets, local support resources, policies, ownership, lifecycle,
|
|
8
|
+
dependencies, and review evidence.
|
|
9
|
+
|
|
10
|
+
```text
|
|
11
|
+
Skill = focused, bounded workflow entrypoint
|
|
12
|
+
Context Lens = purpose-oriented interpretation over Context Assets
|
|
13
|
+
Context Asset = independently owned source-of-truth knowledge
|
|
14
|
+
```
|
|
15
|
+
|
|
16
|
+
Use platform-native guidance for general Skill authoring, then use Renma for
|
|
17
|
+
repository-specific governance. Renma follows the deterministic boundary:
|
|
18
|
+
|
|
19
|
+
```text
|
|
20
|
+
LLM proposes. Renma verifies. Human approves.
|
|
21
|
+
```
|
|
22
|
+
|
|
23
|
+
## Implemented 0.18.0 Baseline
|
|
24
|
+
|
|
25
|
+
The shipped baseline includes:
|
|
26
|
+
|
|
27
|
+
- focused workflow Skills with explicit usage boundaries rather than thin
|
|
28
|
+
routing-only entrypoints;
|
|
29
|
+
- progressive disclosure through static, reviewable references;
|
|
30
|
+
- first-class Skill-local `references/`, `profiles/`, `examples/`, `scripts/`,
|
|
31
|
+
and `assets/` resources under `skills/**` and `.agents/skills/**`;
|
|
32
|
+
- deterministic ownership, reachability, helper-command, and static support
|
|
33
|
+
relationships, including ambiguity that fails closed;
|
|
34
|
+
- repository-bounded discovery that never follows leaf or directory symlinks,
|
|
35
|
+
with actionable evidence for referenced unusable paths;
|
|
36
|
+
- canonical Agent Skills compatibility, migration guidance, scaffold, inspect,
|
|
37
|
+
and non-editing suggestion workflows;
|
|
38
|
+
- catalog, graph, ownership, Readiness, semantic diff, CI, diagnostics v2, and
|
|
39
|
+
review-bundle projections;
|
|
40
|
+
- security diagnostics, reusable profiles, effective-policy inventory, and
|
|
41
|
+
deterministic compositional policy provenance; and
|
|
42
|
+
- Repository Context BOM v2 and Trust Graph v2 as the first supported
|
|
43
|
+
long-term contracts and the only emitted BOM/Trust Graph schemas.
|
|
44
|
+
|
|
45
|
+
Repository Context BOM v2 is a declared repository manifest, not a record of
|
|
46
|
+
what an LLM consumed. Trust Graph v2 is deterministic review evidence, not a
|
|
47
|
+
subjective score or runtime enforcement system.
|
|
48
|
+
|
|
49
|
+
Historical release detail belongs in [CHANGELOG.md](CHANGELOG.md). Contract
|
|
50
|
+
details live in [architecture.md](architecture.md), [design.md](design.md), and
|
|
51
|
+
the focused documents under [docs/](docs/README.md).
|
|
52
|
+
|
|
53
|
+
## Stable Product Boundaries
|
|
54
|
+
|
|
55
|
+
Renma owns repository discovery and parsing, normalized static evidence,
|
|
56
|
+
validation, deterministic projections, and review-oriented authoring support.
|
|
57
|
+
It does not own live Skill or Context selection, prompt assembly, execution,
|
|
58
|
+
runtime telemetry, hosted gateways, automatic semantic rewriting, or automatic
|
|
59
|
+
policy weakening.
|
|
60
|
+
|
|
61
|
+
## Deferred Skill-to-Skill Discovery Design
|
|
62
|
+
|
|
63
|
+
Graph-based Skill-to-Skill route discovery is not a 0.18.0 feature and has no
|
|
64
|
+
assigned release. The exploratory design in
|
|
65
|
+
[plan-discovery.md](plan-discovery.md) discusses possible `routes_to` metadata,
|
|
66
|
+
discovery aliases, generated routing indexes, and a `skill-index` projection.
|
|
67
|
+
None is an implemented contract.
|
|
68
|
+
|
|
69
|
+
Any future proposal must be reconsidered against the focused-workflow model
|
|
70
|
+
introduced in 0.18.0. It must remain deterministic and static, avoid runtime
|
|
71
|
+
selection, preserve source Skills, and receive an explicit version and contract
|
|
72
|
+
decision before implementation.
|
|
73
|
+
|
|
74
|
+
## Later Candidates
|
|
75
|
+
|
|
76
|
+
Future product decisions may consider imported external consumed-context
|
|
77
|
+
evidence, additive projections over stable evidence, optional semantic-review
|
|
78
|
+
helpers, multi-repository workflows, or review visualizations. These are not
|
|
79
|
+
commitments and have no assigned version.
|
|
80
|
+
|
|
81
|
+
## Explicitly Out Of Scope
|
|
82
|
+
|
|
83
|
+
- accepting task text and automatically selecting or ranking a Skill;
|
|
84
|
+
- fuzzy, embedding, or LLM-based runtime routing;
|
|
85
|
+
- runtime Context loading, injection, prompt assembly, or execution;
|
|
86
|
+
- runtime telemetry collection or hidden consumed-context import;
|
|
87
|
+
- automatic Skill-body rewriting or policy relaxation;
|
|
88
|
+
- arbitrary Skill roots without a reviewed compatibility decision; and
|
|
89
|
+
- advertising deferred `routes_to`, `skill-index`, aliases, or generated
|
|
90
|
+
routing indexes as current behavior.
|
|
@@ -0,0 +1,104 @@
|
|
|
1
|
+
import { mkdtemp, readFile, rm } from "node:fs/promises";
|
|
2
|
+
import os from "node:os";
|
|
3
|
+
import path from "node:path";
|
|
4
|
+
import { spawnSync } from "node:child_process";
|
|
5
|
+
|
|
6
|
+
const cache = await mkdtemp(path.join(os.tmpdir(), "renma-npm-pack-"));
|
|
7
|
+
|
|
8
|
+
try {
|
|
9
|
+
const packed = spawnSync(
|
|
10
|
+
"npm",
|
|
11
|
+
["pack", "--dry-run", "--json", "--cache", cache],
|
|
12
|
+
{ cwd: process.cwd(), encoding: "utf8" },
|
|
13
|
+
);
|
|
14
|
+
if (packed.error) throw packed.error;
|
|
15
|
+
if (packed.status !== 0) {
|
|
16
|
+
throw new Error(packed.stderr.trim() || "npm pack --dry-run failed.");
|
|
17
|
+
}
|
|
18
|
+
|
|
19
|
+
const reports = JSON.parse(packed.stdout);
|
|
20
|
+
const report = reports[0];
|
|
21
|
+
if (!report || !Array.isArray(report.files)) {
|
|
22
|
+
throw new Error("npm pack --dry-run returned no package file list.");
|
|
23
|
+
}
|
|
24
|
+
const files = new Set(report.files.map((file) => file.path));
|
|
25
|
+
|
|
26
|
+
for (const required of [
|
|
27
|
+
"package.json",
|
|
28
|
+
"README.md",
|
|
29
|
+
"dist/index.js",
|
|
30
|
+
"docs/trust-graph.md",
|
|
31
|
+
"docs/schemas/repository-context-bom-v2.schema.json",
|
|
32
|
+
"docs/schemas/trust-graph-v2.schema.json",
|
|
33
|
+
]) {
|
|
34
|
+
requirePackagedPath(files, required);
|
|
35
|
+
}
|
|
36
|
+
|
|
37
|
+
const readme = await readFile("README.md", "utf8");
|
|
38
|
+
for (const rawTarget of markdownLinkTargets(readme)) {
|
|
39
|
+
const target = repositoryRelativeTarget(rawTarget);
|
|
40
|
+
if (!target) continue;
|
|
41
|
+
requirePackagedPath(files, target);
|
|
42
|
+
}
|
|
43
|
+
|
|
44
|
+
for (const forbiddenPrefix of [
|
|
45
|
+
"node_modules/",
|
|
46
|
+
"dist-test/",
|
|
47
|
+
"test/",
|
|
48
|
+
"src/",
|
|
49
|
+
"coverage/",
|
|
50
|
+
".git/",
|
|
51
|
+
]) {
|
|
52
|
+
if ([...files].some((file) => file.startsWith(forbiddenPrefix))) {
|
|
53
|
+
throw new Error(`Package unexpectedly includes ${forbiddenPrefix}`);
|
|
54
|
+
}
|
|
55
|
+
}
|
|
56
|
+
for (const forbidden of [
|
|
57
|
+
"examples/interactive-placeholder/workspace/output.txt",
|
|
58
|
+
"npm-debug.log",
|
|
59
|
+
]) {
|
|
60
|
+
if (files.has(forbidden)) {
|
|
61
|
+
throw new Error(`Package unexpectedly includes ${forbidden}`);
|
|
62
|
+
}
|
|
63
|
+
}
|
|
64
|
+
|
|
65
|
+
process.stdout.write(
|
|
66
|
+
`Verified ${files.size} packaged files and every README-relative target.\n`,
|
|
67
|
+
);
|
|
68
|
+
} finally {
|
|
69
|
+
await rm(cache, { recursive: true, force: true });
|
|
70
|
+
}
|
|
71
|
+
|
|
72
|
+
function requirePackagedPath(files, target) {
|
|
73
|
+
const normalized = path.posix.normalize(target).replace(/^\.\//, "");
|
|
74
|
+
const present =
|
|
75
|
+
files.has(normalized) ||
|
|
76
|
+
[...files].some((file) => file.startsWith(`${normalized}/`));
|
|
77
|
+
if (!present) {
|
|
78
|
+
throw new Error(`Packaged README target is missing: ${target}`);
|
|
79
|
+
}
|
|
80
|
+
}
|
|
81
|
+
|
|
82
|
+
function markdownLinkTargets(markdown) {
|
|
83
|
+
return [...markdown.matchAll(/!?\[[^\]]*\]\(([^)]+)\)/g)].map(
|
|
84
|
+
(match) => match[1]?.trim() ?? "",
|
|
85
|
+
);
|
|
86
|
+
}
|
|
87
|
+
|
|
88
|
+
function repositoryRelativeTarget(rawTarget) {
|
|
89
|
+
if (
|
|
90
|
+
!rawTarget ||
|
|
91
|
+
rawTarget.startsWith("#") ||
|
|
92
|
+
/^[a-z][a-z0-9+.-]*:/i.test(rawTarget)
|
|
93
|
+
) {
|
|
94
|
+
return undefined;
|
|
95
|
+
}
|
|
96
|
+
const withoutTitle = rawTarget.startsWith("<")
|
|
97
|
+
? rawTarget.slice(1, rawTarget.indexOf(">"))
|
|
98
|
+
: (rawTarget.split(/\s+["']/)[0] ?? rawTarget);
|
|
99
|
+
const target = decodeURIComponent(withoutTitle.split("#", 1)[0] ?? "");
|
|
100
|
+
if (!target || target === ".." || target.startsWith("../")) {
|
|
101
|
+
throw new Error(`README link escapes the package root: ${rawTarget}`);
|
|
102
|
+
}
|
|
103
|
+
return target;
|
|
104
|
+
}
|